Open Bug 1933603 Opened 3 months ago Updated 2 months ago

Assertion failure: !gfxFontUtils::IsInServoTraversal(), at /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:267

Categories

(Core :: Graphics: Text, defect)

Tracking

Tracking Status
firefox135 --- affected

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, pernosco)

Found while fuzzing m-c 20241106-66c06d5d735b (--enable-debug --enable-fuzzing)

This has been consistently reported by fuzzers.
I don't have a test case but a Pernosco session is available here: https://pernos.co/debug/l_Ynke60PhW8Dkirmbu1yg/index.html

Assertion failure: !gfxFontUtils::IsInServoTraversal(), at /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:267

#0 0x76bf84d8ef2e in ~gfxUserFontFamily /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:267:3
#1 0x76bf84d8ef2e in gfxUserFontFamily::~gfxUserFontFamily() /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:265:41
#2 0x76bf84d83299 in Release /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.h:969:3
#3 0x76bf84d83299 in gfxFontGroup::FamilyFace::~FamilyFace() /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.h:1212:9
#4 0x76bf84d81217 in Destruct /builds/worker/workspace/obj-build/dist/include/nsTArray.h:641:45
#5 0x76bf84d81217 in DestructRange /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2427:7
#6 0x76bf84d81217 in ClearAndRetainStorage /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1479:5
#7 0x76bf84d81217 in ~nsTArray_Impl /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1033:7
#8 0x76bf84d81217 in gfxFontGroup::~gfxFontGroup() /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:1884:1
#9 0x76bf84d81427 in gfxFontGroup::~gfxFontGroup() /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:1881:31
#10 0x76bf847dd1a7 in Release /builds/worker/workspace/obj-build/dist/include/gfxFont.h:619:3
#11 0x76bf847dd1a7 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#12 0x76bf847dd1a7 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
#13 0x76bf847dd1a7 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:80:7
#14 0x76bf847dd1a7 in nsFontMetrics::~nsFontMetrics() /builds/worker/checkouts/gecko/gfx/src/nsFontMetrics.cpp:159:1
#15 0x76bf847dcc2a in nsFontMetrics::Release() /builds/worker/workspace/obj-build/dist/include/nsFontMetrics.h:75:3
#16 0x76bf847dc100 in nsFontCache::Flush(int) /builds/worker/checkouts/gecko/gfx/src/nsFontCache.cpp:175:5
#17 0x76bf847dc560 in nsFontCache::GetMetricsFor(nsFont const&, nsFontMetrics::Params const&) /builds/worker/checkouts/gecko/gfx/src/nsFontCache.cpp:112:7
#18 0x76bf8935a4e8 in GetMetricsFor /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:896:22
#19 0x76bf8935a4e8 in nsLayoutUtils::GetMetricsFor(nsPresContext*, bool, nsStyleFont const*, mozilla::StyleCSSPixelLength, bool) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9594:24
#20 0x76bf891e2ac8 in Gecko_GetFontMetrics /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:1303:30
#21 0x76bf8dcbfaf3 in style::gecko::media_queries::Device::query_font_metrics::h9c0cde55de44bf98 /builds/worker/checkouts/gecko/servo/components/style/gecko/media_queries.rs:239:13
#22 0x76bf8dbc0437 in style::values::computed::Context::query_font_metrics::h78e35c8fe67466d5 /builds/worker/checkouts/gecko/servo/components/style/values/computed/mod.rs:393:9
#23 0x76bf8dcabaeb in style::properties::cascade::Cascade::recompute_math_font_size_if_needed::hd1d70f273d538ef9 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:1354:36
#24 0x76bf8dcabaeb in style::properties::cascade::Cascade::apply_prioritary_properties::h1fac190865ee8739 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:800:13
#25 0x76bf8d7e9f07 in style::properties::cascade::apply_declarations::h7054e25835857b61 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:334:13
#26 0x76bf8d866a93 in style::properties::cascade::cascade_rules::h7740f10fa9ea584f /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:198:5
#27 0x76bf8d866a93 in style::properties::cascade::cascade::h1b034fe9c7459e97 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:82:5
#28 0x76bf8d866a93 in style::stylist::Stylist::cascade_style_and_visited::hf7d5884aa9ade513 /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:1271:9
#29 0x76bf8d839c6e in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::h30eee7044db5e663 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:382:22
#30 0x76bf8d838b90 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::hbe2ef7ea8ff44d2b /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:277:20
#31 0x76bf8d839d83 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_styles_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::h698d1e356714718b /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:411:33
#32 0x76bf8d83700e in style::style_resolver::with_default_parent_styles::h8564055887195c12 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:139:5
#33 0x76bf8d86f5ae in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_styles_with_default_parents::hf89ee5458b0dad36 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:410:9
#34 0x76bf8d86f5ae in style::traversal::compute_style::hb3968e42a654a719 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:661:26
#35 0x76bf8d86d2be in style::traversal::recalc_style_at::h1775a7373f99a07b /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:432:13
#36 0x76bf8d86d2be in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::he17d7a4c8f5f2adf /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13
#37 0x76bf8d86d2be in style::parallel::style_trees::h49f21ea7b0303caa /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:158:9
#38 0x76bf8d8450a1 in style::driver::traverse_dom::_$u7b$$u7b$closure$u7d$$u7d$::h92652090c1430769 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:138:9
#39 0x76bf8d8442c6 in style::driver::with_pool_in_place_scope::hb8330a3ee3119bb7 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:57:9
#40 0x76bf8d8442c6 in style::driver::traverse_dom::h9efd4e2601dd10b2 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:127:5
#41 0x76bf8d9134d4 in geckoservo::glue::traverse_subtree::he34fe8c589f1fabc /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:305:5
#42 0x76bf8d913988 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:365:5
#43 0x76bf89216d5b in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:831:9
#44 0x76bf892d3847 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3248:20
#45 0x76bf892a6e35 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3381:3
#46 0x76bf892a6186 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4439:37
#47 0x76bf854f60db in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1456:5
#48 0x76bf854f60db in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11298:16
#49 0x76bf8927d22e in MaybeFlush /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:1032:12
#50 0x76bf8927d22e in mozilla::AccessibleCaretManager::MaybeFlushLayout() /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:192:20
#51 0x76bf89281d6f in mozilla::AccessibleCaretManager::DispatchCaretStateChangedEvent(mozilla::dom::CaretChangedReason, nsPoint const*) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:1415:7
#52 0x76bf8927ce66 in mozilla::AccessibleCaretManager::OnSelectionChanged(mozilla::dom::Document*, mozilla::dom::Selection*, short) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp
#53 0x76bf85657fbb in mozilla::dom::Selection::NotifySelectionListeners() /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3896:12
#54 0x76bf856609b7 in mozilla::dom::Selection::NotifySelectionListeners(bool) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3824:3
#55 0x76bf85435723 in nsRange::NotifySelectionListenersAfterRangeSet() /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:971:16
#56 0x76bf85463ee9 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#57 0x76bf85463ee9 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#58 0x76bf85463ee9 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#59 0x76bf85463ee9 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#60 0x76bf85463ee9 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#61 0x76bf85463ee9 in apply<nsRange, void (nsRange::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#62 0x76bf85463ee9 in mozilla::detail::RunnableMethodImpl<nsRange*, void (nsRange::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#63 0x76bf852742d5 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6185:17
#64 0x76bf854e0625 in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8277:3
#65 0x76bf85792d04 in ~mozAutoDocUpdate /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:34:18
#66 0x76bf85792d04 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:2716:5
#67 0x76bf8543c88c in InsertBefore /builds/worker/checkouts/gecko/dom/base/nsINode.h:2275:12
#68 0x76bf8543c88c in AppendChild /builds/worker/checkouts/gecko/dom/base/nsINode.h:2282:12
#69 0x76bf8543c88c in nsRange::CutContents(mozilla::dom::DocumentFragment**, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp
#70 0x76bf8543fbe6 in nsRange::ExtractContents(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsRange.cpp:2128:3
#71 0x76bf85db51a9 in mozilla::dom::Range_Binding::extractContents(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./RangeBinding.cpp:804:83
#72 0x76bf86860fb7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3290:13
#73 0x76bf8a020d14 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#74 0x76bf8a0204f8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#75 0x76bf8ab8bc4f in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1683:10
Severity: -- → S3
Flags: needinfo?(jfkthame)